Use this article to identify and resolve issues caused by a transparent DNS proxy.
A transparent DNS proxy intercepts DNS requests intended for DNSFilter and redirects them to a different DNS server without the administrator’s knowledge. When this occurs, DNSFilter never receives the queries, and filtering cannot function correctly.
This is a common cause of failed Site deployments.
Common symptoms
A transparent DNS proxy may be present if:
- A Site remains Offline after configuration
- The dashboard shows no DNS traffic
- End users receive connection failure or DNS error pages
- DNS queries resolve, but policies are not enforced
If DNSFilter is configured correctly but traffic is not appearing in reporting, transparent proxying is a likely cause.
Where proxying typically occurs
Transparent DNS proxying can occur at several levels:
- ISP-level DNS interception or caching
- Firewall or router NAT rules
- Network security appliances
- Endpoint security software
Most cable, DSL, and fiber internet providers in North America and Europe do not proxy DNS traffic.
Transparent DNS proxying is more common with:
- Satellite internet providers (e.g., Starlink)
- Mobile carriers (3G, 4G, LTE, 5G)
- Regions with government-mandated DNS filtering
In these environments, DNS requests are often redirected for performance, caching, logging, or regulatory enforcement.
Why this prevents DNSFilter from working
DNSFilter requires DNS queries to be sent directly to its resolvers. If a device sends DNS traffic to DNSFilter but the ISP or firewall silently redirects that traffic elsewhere, the Site will not activate and policies will not apply.
DNSFilter cannot override ISP-level DNS interception.
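One way to test for the silent redirection described above, as an added example (not DNSFilter's own tooling): send a query to an address where no DNS server can exist and see whether anything answers. The canary address 192.0.2.1, the test name example.com, and the function names are assumptions of this example; the resolver address is supplied by you on the command line.

```python
import secrets
import socket
import struct
import sys

# Assumption: 192.0.2.1 (TEST-NET-1, RFC 5737) is reserved for documentation,
# so no real DNS server can answer from it.
CANARY_IP = "192.0.2.1"

def build_query(name, txid):
    """Encode a minimal DNS query for the A record of `name` (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_dns_answer(packet, txid):
    """True if `packet` is a DNS response (QR bit) carrying our transaction ID."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)

def probe(server_ip, name="example.com", port=53, timeout=3.0):
    """Send one UDP query to server_ip; True if a matching DNS response returns."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server_ip, port))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, network unreachable, port refused
            return False
    return is_dns_answer(data, txid)

def verdict(canary_answered, resolver_answered):
    """Classify the two probe results."""
    if canary_answered:
        return "intercepted"  # something on the path answers port 53 for any destination
    if resolver_answered:
        return "clean"        # no destination-agnostic interception observed
    return "blocked"          # nothing answered: port 53 filtered or no connectivity

if __name__ == "__main__":
    # Pass the resolver address from your own DNSFilter deployment as argv[1];
    # it is deliberately not hard-coded in this example.
    resolver_ip = sys.argv[1]
    print(verdict(probe(CANARY_IP), probe(resolver_ip)))
```

A "clean" result only rules out a proxy that answers port 53 for every destination; a device that redirects queries for specific resolver addresses will not respond to the canary. The Site status and reporting remain the authoritative check.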
How to resolve
Resolution depends on where the proxy is occurring.
If the proxy is local:
- Review firewall or router settings for DNS redirection or NAT rules
- Disable any “DNS redirect,” “DNS enforcement,” or similar security feature
- Confirm no internal DNS server is forwarding queries to another resolver
If the proxy is ISP-level:
- Contact the ISP to confirm whether DNS interception is enabled
- Request that DNS proxying be disabled if possible
- If the ISP cannot disable interception, consider deploying the Roaming Client on endpoints to enforce filtering at the device level
After changes are made, confirm DNS traffic reaches DNSFilter by checking that the Site status changes to Active and DNS queries appear in reporting.